[TriLUG] OT: Finding/Notifying People with Worm-infested PC's

Jon Carnes jonc at nc.rr.com
Wed Apr 21 08:30:02 EDT 2004


On Wed, 2004-04-21 at 07:06, Magnus Hedemark wrote:
> On Tue, 20 Apr 2004, Jaimie Livingston wrote:
> 
> > So, what's the consensus on finding and/or notifying users/admins who have
> > worm-infested PCs up on the Internet?
> 
> It's often very hard.  Who do you notify?  You have an IP address that 
> resolves to some giant broadband ISP's DHCP pool, and maybe the results of 
> a Nessus scan that show that the host that was trying to crack your box 
> was actually a cracked box itself.
> 
> You can try emailing abuse@ but usually nothing comes of it.  The folks 
> that read those emails often seem capable only of dealing with run of the 
> mill spam.  Any time an incident report is provided that goes beyond that, 
> it's a time sink that is ignored.
> 
Hmmm... Too negative! You really have to at least try. You need to send
the alert and as much info as you can gather easily.

I had to contact one of my stand-alone customers (they run their own
firewall) just two days ago and have them pull their web server
off-line. Their infected machine scans hit one of our network honey-pots
which let us know that they had been taken over. If the scans hadn't
started with the local network we wouldn't have known about it unless
some affected person dropped us a note.

The customer in question wasn't happy about the news but they responded
immediately, and they appreciated the alert. It let them handle the
problem before worse things happened.

> > I have a small web-server that I run at home for personal and development
> > use, and I've been tagged by a few Worm-infested Windoze boxes, probably
> > some home PCs that the users have running wide open on the Internet. I have
> > the IP addresses, some from RR, and would like to find these people and let
> > them know that they are doing the world a disservice by leaving an infected
> > Windows box up and running, and maybe give them some pointers on how to
> > prevent such a thing from happening. 
> 
> Good chance you'll get someone like my grandmother who doesn't know or 
> care to know how to secure her system, and once she has your email address 
> you'll never get out from under the crushing load of chain letters she'll 
> forward your way.  The people who actually care are few and far between.

Contact the ISP that feeds Granny her connection. The AUP for most ISPs
gives them the right to cut Granny off if she doesn't respond to the
complaint.  And believe me, the ISP does *not* want Granny's infected
machine on their network.

Jon Carnes
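Jon's advice above (send the alert, and include as much information as you can gather easily) and his description of a honeypot catching the scans can be turned into a small triage script. The following is an added example, not code from the original post or from TriLUG: it reads connection-attempt log lines, flags sources that touched several of your addresses, and drafts the notice you would send to the source network's abuse contact. The log format, the IP addresses, the "UTC" wording and the abuse-desk address are all constructed for illustration and are not any real tool's output.

```python
"""Flag scanning sources in honeypot connection logs and draft an abuse report.

Added example for this thread; not code from the original post.
The log format below is constructed and is not any real tool's output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp"
# 192.0.2.77 sweeps five of our addresses on worm-favoured ports;
# 203.0.113.5 just visits the web server twice.
SAMPLE_LOG = """\
2004-04-19T02:14:05 src=192.0.2.77 dst=198.51.100.10 dport=135 proto=tcp
2004-04-19T02:14:05 src=192.0.2.77 dst=198.51.100.10 dport=445 proto=tcp
2004-04-19T02:14:06 src=192.0.2.77 dst=198.51.100.11 dport=135 proto=tcp
2004-04-19T02:14:06 src=192.0.2.77 dst=198.51.100.12 dport=135 proto=tcp
2004-04-19T02:14:07 src=192.0.2.77 dst=198.51.100.13 dport=139 proto=tcp
2004-04-19T02:14:09 src=192.0.2.77 dst=198.51.100.14 dport=445 proto=tcp
2004-04-19T03:00:00 src=203.0.113.5 dst=198.51.100.10 dport=80 proto=tcp
2004-04-19T03:00:01 src=203.0.113.5 dst=198.51.100.10 dport=80 proto=tcp
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
                "dport": int(fields["dport"]), "proto": fields["proto"]}
    except (ValueError, KeyError):
        return None


def find_scanners(log_text, min_targets=3):
    """Group events by source address and flag sources that touched at least
    min_targets distinct hosts of ours. Returns {src: summary}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    scanners = {}
    for src, events in by_src.items():
        hosts = {e["dst"] for e in events}
        if len(hosts) < min_targets:
            continue  # one or two hosts is normal traffic, not a sweep
        scanners[src] = {
            "first_seen": min(e["ts"] for e in events),
            "last_seen": max(e["ts"] for e in events),
            "hosts": len(hosts),
            "ports": sorted({e["dport"] for e in events}),
            "events": len(events),
        }
    return scanners


def draft_report(src, summary, reporter_contact="abuse-desk@example.net"):
    """Build the plain-text notice for the source network's abuse contact.
    Timestamps (timezone stated; assumed UTC here), counts and ports are included
    so the recipient can match the evidence against their own logs."""
    ports = ", ".join(str(p) for p in summary["ports"])
    lines = [
        f"Subject: Probable worm-infected host {src} scanning our network",
        "",
        f"Between {summary['first_seen'].isoformat()} and "
        f"{summary['last_seen'].isoformat()} (UTC), the host {src} made "
        f"{summary['events']} connection attempts to {summary['hosts']} of our "
        f"addresses on TCP port(s) {ports}.",
        "The pattern matches automated worm propagation rather than legitimate use.",
        "",
        "Please check the host for infection. Log excerpts are available on request.",
        f"Contact: {reporter_contact}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, summary in find_scanners(SAMPLE_LOG).items():
        print(draft_report(src, summary))
        print("-" * 60)
```

The threshold on distinct destination hosts, rather than on raw connection count, is what separates a sweep from a busy legitimate client; tune `min_targets` to the size of the address range your honeypot watches.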
